SHYLOCK

Shylock Malware - a core piece of technology that is enabling wider, large scale digital criminality

11th July 2014

The internet provides a wealth of opportunity to commit illegal activity and conduct acts of digital crime at large scale. The connectivity and anonymity it provides enables the exploitation of weakened websites, and allows the targeting of vulnerable users through a mix of malicious software and social engineering.

Sophisticated malware such as Shylock, described in a whitepaper by our Threat Intelligence team last year, is a core piece of technology that enables wider digital criminality, including money-laundering and re-shipping scams looking to commit fraud at scale.

We have issued this note to help organisations understand and counter this threat. Our infographic explains how this malware fits into the wider ‘target set’ (a network of criminals, victims, infrastructure and malware) and the ‘collaborative set’ (those who work to pursue, disrupt and mitigate the threat). We are today releasing a new technical appendix containing domains and name-servers used by the Shylock malware. Organisations can use this information to check their logs for evidence of compromise, or block these domains to prevent further communication with them.
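As an added example (not BAE Systems' code, and using constructed placeholder domains rather than the appendix's indicators), the following Python checks DNS query-log entries against a domain indicator list on label boundaries, so a subdomain of a listed name is flagged while a merely similar name is not; the BIND-style log format is an assumption.

```python
"""Check DNS query logs against a domain indicator list (added example;
indicators and log lines are constructed placeholders, not appendix data)."""
import re

# Constructed placeholders: substitute the appendix's domains and name-servers.
INDICATORS = {"c2-placeholder.example", "ns1.nameserver-placeholder.example"}

# Constructed BIND-style query log lines (this format is an assumption).
SAMPLE_LOG = """\
11-Jul-2014 09:12:01.113 client 10.0.0.12#53211: query: www.example.co.uk IN A +
11-Jul-2014 09:12:03.544 client 10.0.0.34#49822: query: update.c2-placeholder.example IN A +
11-Jul-2014 09:12:04.001 client 10.0.0.34#49823: query: notc2-placeholder.example IN A +
11-Jul-2014 09:12:05.770 client 10.0.0.57#51000: query: NS1.Nameserver-Placeholder.example. IN A +
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def normalize(domain):
    """Lower-case and drop the trailing dot so FQDN forms compare equal."""
    return domain.strip().lower().rstrip(".")


def matches(qname, indicators):
    """Return the indicator qname equals or is a subdomain of, else None.
    Matching is on label boundaries: 'a.c2.example' hits 'c2.example', but
    'notc2.example' does not (a plain substring test would flag it)."""
    q = normalize(qname)
    for ind in indicators:
        i = normalize(ind)
        if q == i or q.endswith("." + i):
            return i
    return None


def scan_dns_log(lines, indicators):
    """Return (client, queried name, matched indicator) for every hit."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and (hit := matches(m["qname"], indicators)):
            hits.append((m["client"], normalize(m["qname"]), hit))
    return hits


if __name__ == "__main__":
    for client, qname, ind in scan_dns_log(SAMPLE_LOG.splitlines(), INDICATORS):
        print(f"{client} queried {qname} (indicator: {ind})")
```

For blocking rather than detection, the same label-boundary rule applies: a DNS sinkhole or proxy rule for a listed domain should cover its subdomains without catching unrelated names that merely share a suffix.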

We are keen to encourage collaboration and information sharing across industries; for further information, please contact us at learn@baesystems.com. If you are concerned that you may have been the victim of a cyber attack and need assistance in investigating it, please contact our Cyber Incident Response Team on:

BAE Systems Applied Intelligence today announces that cyber criminals are targeting the UK with one of the world’s most sophisticated pieces of malware. The Shylock malware is one of the fastest growing threats posed by cyber criminals today, and its creators have built a platform over the last two years that allows them to commit large-scale targeting and theft of sensitive banking data.

The criminal gang operating the malware is currently targeting a small number of geographic regions and, worryingly, the UK has been a priority target. BAE Systems Applied Intelligence's research shows that the malware is being distributed through compromised legitimate websites; of a sample of over 500 identified, 61% were UK websites. Furthermore, over three-quarters (80%) of the banks targeted over the past two years have been UK banks.

The research, unveiled today, also illustrates the advanced techniques the Shylock malware creators have used to remain undetected by traditional security defences. There are even clues which suggest the operators are working a five-day week, indicating that these are professional and well-organised criminals.

BAE Systems Applied Intelligence's analysis also reveals that the malware's modular framework gives it serious ‘future upgrade’ potential; it is consequently likely to return in different guises.

Shylock is typical of the increased shrewdness of cyber attackers over the past year, which has seen a shift towards ‘drive-by’ or ‘watering hole’ attacks rather than conventional phishing e-mails. The shift underlines the agility of cyber attackers to adapt when previously successful avenues are closed off by improved security.

“Today’s revelations are a reminder of the agility of malicious cyber criminals and the fact that the UK is a prime target for damaging cyber attacks. The Shylock malware is highly sophisticated, and it is only through intuitive threat intelligence work and the continuing evolution of our cyber security technologies that its exact characteristics have been successfully detected.

“Counteracting the threat posed by Shylock will rely on co-operation from multiple entities including the security research community, industry groups, the finance sector, and international law enforcement. Raising awareness of how the threat actors operate is the first step in this process.”

In order to help raise awareness of the malware, BAE Systems Applied Intelligence is not just highlighting the criminals’ techniques but also providing actionable intelligence which allows organisations to identify compromises, and law enforcement to pursue the perpetrators.